Background
Supply chain cybersecurity is an integral part of security management and refers to efforts conducted by an organisation to ensure cybersecurity within the supply chain. It is a subset of supply chain security and is focused on the management and mitigation of cybersecurity threats to information technology systems, software and networks.
Over the past decades, the nuclear supply chain has experienced a number of significant changes. As nuclear power plants continue to operate longer than originally planned due to life extension programmes, the availability of suitable spare parts has become limited as many of the original manufacturers are no longer in business. In response, facility operators are looking to more readily use commercial grade items – while needing to ensure that they are not counterfeit, fraudulent or suspect items. At the same time, the increasing reliance on digital systems combined with the continued globalisation of the IT industry has increased the need to ensure cybersecurity is maintained throughout the entire supply chain. Additionally, the use of service suppliers, such as contractor personnel and transportation, necessitates the need for procurement processes that consider nuclear security risks. Finally, in countries embarking on nuclear power programmes for the first time, there is a desire to localise as much of the supply chain as possible. This too may introduce risks to nuclear safety and security if the necessary qualification and oversight processes are not in place.
As procuring new equipment and system is part of the natural lifecycle of any industry, mitigations to supply chain vulnerabilities must be embedded in the lifecycle itself. These solutions exist, although none by itself will provide a 100% guarantee of security, but together they will strengthen and consolidate the security posture of a business.
Renewed attention towards cybersecurity; the rise and appearance of clearer security standards and maturity models; and not least the appetite markets have shown for more “certified secure” hardware and software, are all factors that have contributed to improving the situation in the last decade and pushed for the availability of products that – by design – incorporate some levels of security. Some of the potential solutions to strengthen the cybersecurity of the supply chain include:
- Establishing a list of trusted vendors and/or requiring all vendors to follow certain security certifications or maturity models.
- Embedding security natively in products requirements and using a procurement language designed for security.
- Ensuring the whole product lifecycle is conceived with security in mind, particularly regarding maintenance and upgrades.
Objectives
The purpose of this webinar was to briefly review supply chain in the nuclear industry and its potential vulnerability to cyber threats. It examined case studies of supply chain cyberattacks and possible mitigations and countermeasures for effective supply chain cybersecurity.
Our special guests for the webinar were the following:
- Mr. John Pringle, Head of Supply Chain Security at the UK’s Atomic Weapons Establishment (AWE).
- Ms. Pulkit Mohan, Junior Fellow at the Centre for Security, Strategy and Technology (CSST) at the Observer Research Foundation (ORF).
- Ms. Thea Coughlan, Senior Category Manager at the UK’s Atomic Weapons Establishment (AWE).
Agenda
- Introduction to supply chain and cyber threats
- Case study
- https://blog.opengroup.org/2021/01/20/solorigate-a-case-study-for-why-supply-chain-security-is-critical-for-governments-and-businesses/
- https://www.bbc.com/news/world-57394831
- Best practices in supply chain cybersecurity
